Fix issues found when fuzzing Apache POI via Jazzer

Add some additional allocation limits to avoid OOM in
some more cases with some broken input files

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1895922 13f79535-47bb-0310-9956-ffa450edef68

5 files changed, 30 insertions, 5 deletions

diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hdgf/pointers/PointerFactory.java b/poi-scratchpad/src/main/java/org/apache/poi/hdgf/pointers/PointerFactory.java
index bb1d064369..504e242104 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hdgf/pointers/PointerFactory.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hdgf/pointers/PointerFactory.java
@@ -18,6 +18,7 @@
 package org.apache.poi.hdgf.pointers;
 
 import org.apache.poi.hdgf.streams.PointerContainingStream;
+import org.apache.poi.util.IOUtils;
 import org.apache.poi.util.LittleEndian;
 
 /**
@@ -25,10 +26,14 @@ import org.apache.poi.util.LittleEndian;
  *  of the file
  */
 public final class PointerFactory {
-    private int version;
+    private static final int MAX_NUMBER_OF_POINTERS = 100_000;
+
+    private final int version;
+
     public PointerFactory(int version) {
         this.version = version;
     }
+
     public int getVersion() { return version; }
 
     /**
@@ -71,6 +76,12 @@ public final class PointerFactory {
         // How much to skip for the num pointers + any extra data?
         int skip = parent.getPostNumPointersSkip();
 
+        if (numPointers < 0) {
+            throw new IllegalArgumentException("Cannot create container pointers with negative count: " + numPointers);
+        }
+
+        IOUtils.safelyAllocateCheck(numPointers, MAX_NUMBER_OF_POINTERS);
+
         // Create
         int pos = numPointersOffset + skip;
         Pointer[] childPointers = new Pointer[numPointers];
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hpbf/model/qcbits/QCPLCBit.java b/poi-scratchpad/src/main/java/org/apache/poi/hpbf/model/qcbits/QCPLCBit.java
index 0879e394cf..af5a138e4f 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hpbf/model/qcbits/QCPLCBit.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hpbf/model/qcbits/QCPLCBit.java
@@ -17,6 +17,7 @@
 
 package org.apache.poi.hpbf.model.qcbits;
 
+import org.apache.poi.util.IOUtils;
 import org.apache.poi.util.LittleEndian;
 import org.apache.poi.util.StringUtil;
 
@@ -26,8 +27,10 @@ import org.apache.poi.util.StringUtil;
  *  format is determined by the type of the PLCs.
  */
 public abstract class QCPLCBit extends QCBit {
-    private int numberOfPLCs;
-    private int typeOfPLCS;
+    private static final int MAX_NUMBER_OF_PLCS = 1000;
+
+    private final int numberOfPLCs;
+    private final int typeOfPLCS;
     /**
      * The data which goes before the main PLC entries.
      * This is apparently always made up of 2 byte
@@ -53,6 +56,7 @@ public abstract class QCPLCBit extends QCBit {
         typeOfPLCS = (int)LittleEndian.getUInt(data, 4);
 
         // Init the arrays that we can
+        IOUtils.safelyAllocateCheck(numberOfPLCs, MAX_NUMBER_OF_PLCS);
         plcValA = new long[numberOfPLCs];
         plcValB = new long[numberOfPLCs];
     }
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java
index 09dfffbcb9..931b2df2de 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java
@@ -91,6 +91,7 @@ public final class HSLFSlideShowImpl extends POIDocument implements Closeable {
 
     //arbitrarily selected; may need to increase
     private static final int DEFAULT_MAX_RECORD_LENGTH = 200_000_000;
+    private static final int MAX_DOCUMENT_SIZE = 100_000_000;
     private static int MAX_RECORD_LENGTH = DEFAULT_MAX_RECORD_LENGTH;
 
     // Holds metadata on where things are in our document
@@ -233,7 +234,7 @@ public final class HSLFSlideShowImpl extends POIDocument implements Closeable {
         // Grab the document stream
         int len = docProps.getSize();
         try (InputStream is = dir.createDocumentInputStream(docProps)) {
-            _docstream = IOUtils.toByteArray(is, len);
+            _docstream = IOUtils.toByteArray(is, len, MAX_DOCUMENT_SIZE);
         }
     }
 
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFTextParagraph.java b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFTextParagraph.java
index 98218e2d23..129c61c0f3 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFTextParagraph.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFTextParagraph.java
@@ -86,6 +86,8 @@ import org.apache.poi.util.Units;
 public final class HSLFTextParagraph implements TextParagraph<HSLFShape,HSLFTextParagraph,HSLFTextRun> {
     private static final Logger LOG = LogManager.getLogger(HSLFTextParagraph.class);
 
+    private static final int MAX_NUMBER_OF_STYLES = 10_000;
+
     // Note: These fields are protected to help with unit testing
     // Other classes shouldn't really go playing with them!
     private final TextHeaderAtom _headerAtom;
@@ -1551,7 +1553,11 @@ public final class HSLFTextParagraph implements TextParagraph<HSLFShape,HSLFText
 
         for (int csIdx = 0; csIdx < charStyles.size(); csIdx++) {
             TextPropCollection p = charStyles.get(csIdx);
-            for (int ccRun = 0, ccStyle = p.getCharactersCovered(); ccRun < ccStyle;) {
+            int ccStyle = p.getCharactersCovered();
+            if (ccStyle > MAX_NUMBER_OF_STYLES) {
+                throw new IllegalStateException("Cannot process more than " + MAX_NUMBER_OF_STYLES + " styles, but had paragraph with " + ccStyle);
+            }
+            for (int ccRun = 0; ccRun < ccStyle;) {
                 HSLFTextParagraph para = paragraphs.get(paraIdx);
                 List<HSLFTextRun> runs = para.getTextRuns();
                 trun = runs.get(runIdx);
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlexOfCps.java b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlexOfCps.java
index 6c8ee4dd46..fc2f85900c 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlexOfCps.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlexOfCps.java
@@ -37,6 +37,7 @@ public final class PlexOfCps {
 
     //arbitrarily selected; may need to increase
     private static final int MAX_RECORD_LENGTH = 10_485_760;
+    private static final int MAX_NUMBER_OF_PROPERTIES = 100_000;
 
     private int _iMac;
     private final int _cbStruct;
@@ -57,6 +58,8 @@ public final class PlexOfCps {
         // Figure out the number we hold
         _iMac = (cb - 4) / (4 + cbStruct);
 
+        IOUtils.safelyAllocateCheck(_iMac, MAX_NUMBER_OF_PROPERTIES);
+
         _cbStruct = cbStruct;
         _props = new ArrayList<>(_iMac);